In this step, each of the bytes in the matrix is changed to another byte by Table 8.1, called the S-box.

Table 8.1 S-Box for Rijndael

Write a byte as eight bits: abcdefgh. Look for the entry in the abcd row and efgh column (the rows and columns are numbered from 0 to 15). This entry, when converted to binary, is the output. For example, if the input byte is 10001011, we look in row 8 (the ninth row) and column 11 (the twelfth column). The entry is 61, which is 111101 in binary. This is the output of the S-box.

The output of SubBytes is again a $4\times 4$ matrix of bytes, let’s call it

The four rows of the matrix are shifted cyclically to the left by offsets of 0, 1, 2, and 3, to obtain

Regard a byte as an element of $GF(2^8)$, as in Section 3.11. Then the output of the ShiftRows step is a $4\times 4$ matrix $(c_{i\text{,}j})$ with entries in $GF(2^8)$. Multiply this by a matrix, again with entries in $GF(2^8)$, to produce the output $(d_{i\text{,}j})$, as follows:

The round key, derived from the key in a way we’ll describe later, consists of 128 bits, which are arranged in a $4\times 4$ matrix $(k_{i\text{,}j})$ consisting of bytes. This is XORed with the output of the MixColumns step:

This is the final output of the round.

The original key consists of 128 bits, which are arranged into a $4\times 4$ matrix of bytes. This matrix is expanded by adjoining 40 more columns, as follows. Label the first four columns $W(0)\text{,}W(1)\text{,}W(2)\text{,}W(3)$. The new columns are generated recursively. Suppose columns up through $W(i-1)$ have been defined. If $i$ is not a multiple of 4, then

If $i$ is a multiple of 4, then

where $T(W(i-1))$ is the transformation of $W(i-1)$ obtained as follows. Let the elements of the column $W(i-1)$ be $a\text{,}b\text{,}c\text{,}d$. Shift these cyclically to obtain $b\text{,}c\text{,}d\text{,}a$. Now replace each of these bytes with the corresponding element in the S-box from the SubBytes step, to get 4 bytes $e\text{,}f\text{,}g\text{,}h$. Finally, compute the round constant

in $GF(2^8)$ (recall that we are in the case where $i$ is a multiple of 4). Then $T(W(i-1))$ is the column vector

In this way, columns $W(4)\text{,}\dots \text{,}W(43)$ are generated from the initial four columns.

The round key for the $i$th round consists of the columns

Although the S-box is implemented as a lookup table, it has a simple mathematical description. Start with a byte $x_7{x}_6{x}_5{x}_4{x}_3{x}_2{x}_1{x}_0$, where each $x_i$ is a binary bit. Compute its inverse in $GF(2^8)$, as in Section 3.11. If the byte is 00000000, there is no inverse, so we use 00000000 in place of its inverse. The resulting byte $y_7{y}_6{y}_5{y}_4{y}_3{y}_2{y}_1{y}_0$ represents an eight-dimensional column vector, with the rightmost bit $y_0$ in the top position. Multiply by a matrix and add the column vector $(1\text{,}1\text{,}0\text{,}0\text{,}0\text{,}1\text{,}1\text{,}0)$ to obtain a vector $(z_0\text{,}{z}_1\text{,}{z}_2\text{,}{z}_3\text{,}{z}_4\text{,}{z}_5\text{,}{z}_6\text{,}{z}_7)$ as follows:

The byte $z_7{z}_6{z}_5{z}_4{z}_3{z}_2{z}_1{z}_0$ is the entry in the S-box.

For example, start with the byte $11001011$. Its inverse in $GF(2^8)$ is $00000100$, as we calculated in Section 3.11. We now calculate

This yields the byte 00011111. The first four bits 1100 represent 12 in binary and the last four bits 1011 represent 11 in binary. Add 1 to each of these numbers (since the first row and column are numbered 0) and look in the 13th row and 12th column of the S-box. The entry is 31, which in binary is 00011111.

Some of the considerations in the design of the S-box were the following. The map $x\mapsto x^{-1}$ was used to achieve nonlinearity. However, the simplicity of this map could possibly allow certain attacks, so it was combined with multiplication by the matrix and adding the vector, as described previously. The matrix was chosen mostly because of its simple form (note how the rows are shifts of each other). The vector was chosen so that no input ever equals its S-box output or the complement of its S-box output (complementation means changing each 1 to 0 and each 0 to 1).